Dear Josh, thank you for mentioning the options presented by OMSA, and yes, I have switched to the system JRE via the OMSA GUI, but I cannot uninstall the vulnerable srvadmin-jre package because it will also remove OMSA web:
Removing:
  srvadmin-jre        x86_64  9.4.0-3787.15943.el7  142 M
Removing for dependencies:
  srvadmin-tomcat     x86_64  9.4.0-3787.15943.el7   51 M
  srvadmin-webserver  x86_64  9.4.0-3787.15943.el7  9.0

Yes, srvadmin-tomcat and srvadmin-webserver depend on the vulnerable srvadmin-jre package, so you can only remove them all together. That is why I think Dell should really drop the srvadmin-jre dependency and rely exclusively on the OS JRE.

So far I have made a workaround:

  yum install java-11-openjdk-headless.x86_64

Yes, you need to remove the bundled jre because Nessus will find it and report it:

  rm -rf /opt/dell/srvadmin/lib64/openmanage/jre
  ln -s /etc/alternatives/jre_11 /opt/dell/srvadmin/lib64/openmanage/jre

The above workaround will survive future OS JRE updates, but beware of future srvadmin-jre updates, as the jre symlink may be problematic for future srvadmin-jre package updates.

greetings,
Zbigniew

On 16.03.2020 18:47, [email protected] wrote:
> In case you are not aware of the options presented by OMSA, it is possible to
> specify the system JRE rather than the bundled JRE, which would allow the use of an
> updated JRE release.
>
> https://topics-cdn.dell.com/pdf/openmanage-server-administrator-v94_users-guide_en-us.pdf#page=31
> Under Webserver Preferences you will find:
>
> The Java Runtime Environment — Allows you to select one of the following
> options:
> • Bundled JRE — Enables use of the JRE provided along with the System
> Administrator.
> • System JRE — Enables use of the JRE installed on the system. Select the
> required version from the drop-down list.
>
> Generally speaking, the bundled JRE is only updated alongside full OMSA
> releases, which is one reason this option is provided.
>
> Josh Moore
> Sr. Principal Engineer, Compute & Solutions Support Team, HPC SME
> Dell EMC | Infrastructure Solutions Support
> [email protected]
>
> How am I doing? Please contact my manager [email protected] to provide
> feedback. Thanks!
>
> Please consider the environment before printing this email.
>
> Confidentiality Notice: This email message, including any attachments, is for
> the sole use of the intended recipient(s) and may contain confidential or
> proprietary information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient,
> immediately contact the sender by reply e-mail and destroy all copies of the
> original message.
>
> -----Original Message-----
> From: linux-poweredge-bounces-Lists <[email protected]> On Behalf Of White, Spike
> Sent: Monday, March 16, 2020 12:15 PM
> To: linux-poweredge-Lists
> Subject: Re: [Linux-PowerEdge] srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
>
> Zbigniew,
>
> I am an OMSA consumer -- same as you.
>
> Because we do not routinely update the OMSA versions on our older server
> builds, our cybersecurity team identifies a lot of java vulnerabilities as
> well. To avoid this maintenance nightmare, our team now has a policy of
> doing the OMSA install minus the GUI (which also means minus java and minus
> tomcat). Now we have also retrofitted our old OMSA builds -- removed the
> GUI, java and tomcat.
>
> Occasionally, the cybersecurity team picked up tomcat vulnerabilities in the
> older OMSA installs, but it's far more frequent that they picked up java
> vulnerabilities.
>
> To install OMSA w/o the CLI isn't quite as easy as installing the full OMSA.
> To install the full OMSA, you merely do a:
>
>   yum install srvadmin-all
>
> At least for OMSA 9.4, a colleague has gone through the list of RPMs and
> determined this was the min set to install OMSA functions, but without
> java/GUI:
>
>   yum install dell-system-update srvadmin-base srvadmin-storageservices \
>       srvadmin-idrac srvadmin-server-snmp srvadmin-server-cli
>
> Spike White
> Dell IT
>
> ------------------------------
>
> Message: 2
> Date: Fri, 13 Mar 2020 10:18:31 +0100
> From: "mr.zbiggy" <[email protected]>
> To: [email protected]
> Subject: [Linux-PowerEdge] [Security Alert] Latest Dell's srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> [EXTERNAL EMAIL]
>
> Dear Dell,
>
> Nessus Security Scanner found your package
> srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm vulnerable. Please update.
>
> Java JRE 1.11.0_4 from Dell's package
> srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
> has several vulnerabilities. Please update to the fixed Java JRE 1.11.0_6, or stop
> distributing Java JRE and start using Java from the operating system, which is
> maintained faster.
>
> Package           : srvadmin-jre-9.4.0-3787.15943.el7.x86_64.rpm
> Path              : /opt/dell/srvadmin/lib64/openmanage/
> Installed version : 1.11.0_4
> Fixed version     : 1.11.0_6
>
> The version of Oracle (formerly Sun) Java SE or Java for Business installed
> on the remote host is prior to 11 Update 6. It is, therefore, affected by
> multiple vulnerabilities related to the following components:
> - 2D
> - Libraries
> - Kerberos
> - Networking
> - JavaFX
> - Hotspot
> - Scripting
> - Javadoc
> - Deployment
> - Concurrency
> - JAXP
> - Serialization
> - Security
> Nessus has not tested for these issues but has instead relied only on the
> application's self-reported version number.
> - Oracle Java SE and Java SE Embedded are prone to a severe division by zero,
> over 'Multiple' protocol. This issue affects the 'SQLite' component.
> (CVE-2019-16168)
> - Oracle Java SE and Java SE Embedded are prone to a format string
> vulnerability, leading to a read of uninitialized stack data over 'Multiple'
> protocol. This issue affects the 'libxslt' component.
> (CVE-2019-13117, CVE-2019-13118)
> - Oracle Java SE and Java SE Embedded are prone to a remote security
> vulnerability. An unauthenticated remote attacker can exploit this over
> 'Kerberos' protocol. This issue affects the 'Security' component.
> (CVE-2020-2601, CVE-2020-2590)
> - Oracle Java SE/Java SE Embedded are prone to a remote security
> vulnerability. An unauthenticated remote attacker can exploit this
> over multiple protocols. This issue affects the 'Serialization'
> component. (CVE-2020-2604, CVE-2020-2583)
> - Oracle Java SE/Java SE Embedded are prone to a remote security
> vulnerability. An unauthenticated remote attacker can exploit this over
> multiple protocols. This issue affects the 'Networking' component.
> (CVE-2020-2593, CVE-2020-2659)
> - Oracle Java SE is prone to a remote security vulnerability. An
> unauthenticated remote attacker can exploit this over multiple protocols.
> This issue affects the 'Libraries' component. (CVE-2020-2654)
> - Oracle Java SE is prone to multiple security vulnerabilities. An
> unauthenticated remote attacker can exploit this over multiple protocols.
> This issue affects the 'JavaFX' component. (CVE-2020-2585)
> - Oracle Java SE is prone to multiple security vulnerabilities. An
> unauthenticated remote attacker can exploit this over 'HTTPS' protocols.
> This issue affects the 'JSSE' component.
> (CVE-2020-2655)
>
> greetings,
> Zbigniew
>
> _______________________________________________
> Linux-PowerEdge mailing list
> [email protected]
> https://lists.us.dell.com/mailman/listinfo/linux-poweredge
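As an added example, not part of this thread or of Dell's tooling, a POSIX shell check that a host actually carries Zbigniew's symlink workaround: the OMSA jre path must be a symlink to the system JRE rather than the bundled srvadmin-jre directory, and the link must not have been left dangling by a later package or JRE update. The paths from the thread are passed as arguments so the check can be run against any tree; the usage file name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the OMSA JRE directory
# has been replaced by a symlink to the system JRE, as in the workaround
# above, instead of still holding the bundled srvadmin-jre copy.
# Paths are passed as arguments so the check can run against a test tree.
#
# Return codes: 0 = symlink to the expected system JRE
#               1 = bundled directory, or symlink to an unexpected target
#               2 = path missing
#               3 = dangling symlink (target removed, e.g. by a JRE update)
check_omsa_jre() {
  jre_path="$1"   # normally /opt/dell/srvadmin/lib64/openmanage/jre
  expected="$2"   # normally /etc/alternatives/jre_11

  if [ -L "$jre_path" ]; then
    target=$(readlink "$jre_path")
    if [ ! -e "$jre_path" ]; then
      echo "DANGLING: $jre_path -> $target (target no longer exists)"
      return 3
    fi
    if [ "$target" != "$expected" ]; then
      echo "UNEXPECTED: $jre_path -> $target (expected $expected)"
      return 1
    fi
    echo "OK: $jre_path -> $target"
    # Nessus only reads the self-reported version, so confirm which JRE
    # the symlink really resolves to by asking the binary itself.
    if [ -x "$jre_path/bin/java" ]; then
      "$jre_path/bin/java" -version 2>&1 | head -n 1
    fi
    return 0
  elif [ -d "$jre_path" ]; then
    echo "BUNDLED: $jre_path is a real directory; srvadmin-jre still in place"
    return 1
  else
    echo "MISSING: $jre_path does not exist"
    return 2
  fi
}

# Usage (hypothetical file name):
#   sh check_omsa_jre.sh /opt/dell/srvadmin/lib64/openmanage/jre /etc/alternatives/jre_11
if [ "$#" -ge 2 ]; then
  check_omsa_jre "$1" "$2"
fi
```

Run it after each OS JRE or srvadmin update; a non-zero exit means the host has drifted back to the bundled JRE or the link no longer resolves.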
